Every week, we catalog the major industrial cybersecurity vulnerabilities and updates you should know about. Here are the notable threats from the week of November 27 - December 3. Sign up to get these updates right to your inbox!
Mitsubishi Electric MELSEC iQ-R Series contains an improper input validation vulnerability that could allow a remote unauthenticated attacker to cause a denial-of-service condition on a target product by sending specially crafted packets.
Sources: Mitsubishi Electric Advisory, CISA
Horner Automation Remote Compact Controller (RCC) 972 contains inadequate encryption strength, use of hard-coded cryptographic key and excessive reliance on global variables vulnerabilities that could lead to an attacker gaining complete control of affected devices.
Sources: Horner Automation Update, CISA
BD BodyGuard Pumps contain a missing protection mechanism for alternate hardware interface vulnerability that could lead to an attacker changing configuration settings or disabling the pump.
Sources: BD Advisory, CISA
Mitsubishi Electric GOT2000 Series contains an improper input validation vulnerability that could lead to a denial-of-service condition.
Sources: Mitsubishi Electric Advisory, CISA
Hitachi Energy PCM600 contains a cleartext storage of sensitive information vulnerability that could lead to an attacker gaining sensitive credentials and having access to the affected products, performing unauthorized modifications or causing a denial-of-service condition.
Sources: Hitachi Energy Advisory, CISA
Hitachi Energy MicroSCADA X SYS600 and MicroSCADA ProHitachi Energy contain an improper input validation vulnerability that could allow an unauthorized user to execute administrator level scripts.
Sources: Hitachi Energy Advisory, CISA
The Moxa UC Series contains an improper physical access control vulnerability that could allow an attacker with physical access to take full control of the device using the console port.
Sources: Moxa Support, CISA
Mitsubishi Electric GX Works3 and MX OPC UA Module Configurator-RMitsubishi Electric contain cleartext storage of sensitive information, use of hard-coded password, insufficiently protected credentials, use of hard-coded cryptographic key and cleartext storage of sensitive information in memory vulnerabilities that could lead to unauthorized users obtaining access to the MELSEC iQ-R/F/L series CPU modules and the MELSEC iQ-R series OPC UA server module or to view and execute programs.
Sources: Mitsubishi Electric Updates, CISA
Mitsubishi Electric MELSEC and MELIPC Series contain uncontrolled resource consumption, improper handling of length parameter inconsistency and improper input validation vulnerabilities that could lead to a denial-of-service condition.
Sources: Mitsubishi Electric Advisory, CISA
Omron PLC CJ and CS Series contain authentication bypass by spoofing, authentication bypass by capture-replay and unrestricted externally accessible lock vulnerabilities that could lead to an attacker gaining the status information of a PLC.
Sources: Omron Advisory, CISA
